Is Your “Father’s IAM” Putting You at Risk?

Identity and access management (IAM) is all about ensuring that the right people have the right access to the right resources, and that you can prove that all of that access is right. But as any of us who are heavily involved in IAM know, that is much easier said than done. There’s a lot that goes into getting all those things “right.”

First you must set up the accounts that enable a user to get to the right stuff – that is often called provisioning (and its dangerous sister, de-provisioning). Second, in order for that account to grant the appropriate access, there has to be a concept of authorization which provides a definition for what is allowed and not allowed with that access. And third, there should be some way to make sure that provisioning and de-provisioning are done securely (and ideally efficiently), and that the associated authorization is accurate – i.e. everyone has exactly the access they need, nothing more and nothing less.

Everyone has been provisioning and de-provisioning since we first started networking PCs. And as soon as larger numbers of users began using those computers, some concept of authorization had to be implemented. The problem is that the practices that worked so well in those relatively closed networks with relatively few users simply don’t cut it in today’s open (close to boundary-less), fluid, modern networks. The result is loads of inefficiency, elevated risk, and the potential for catastrophic breaches.

In recent research sponsored by One Identity, the dangers of old-fashioned practices for provisioning and de-provisioning and authorization were stripped bare before the world. Stated plainly, the practices and technologies that served you so well in the past, simply are inadequate in today’s digitally transformed world.

Here are some of the key findings gleaned from responses from more than 900 IT-security professionals worldwide, with a little exposition on each:

87% reported that they have dormant accounts, and 71% were concerned about them. In other words, more than three-quarters of those interviewed have not de-provisioned accounts that are no longer needed (either because the user is no longer with the organization or has switched roles), and most of those are worried about it.

Only 1/3 expressed that they were “very confident” that they even knew which dormant user accounts exist. So not only do they have dangerous entry points into their networks, most couldn’t even tell you which accounts they are.

97% have a process for identifying dormant accounts, but only 19% have tools to help find them. In addition, 92% report that they regularly check for dormant accounts. This is where there is a disconnect: if the majority have dormant accounts and most have a process to find them, obviously the process is not working. In spite of best efforts (or, as I would say, old-fashioned de-provisioning practices) the risk is still there.

The risk is not in the fact that there are dormant accounts, the risk is what can be done with those hidden doors into your systems and data. Most high-profile breaches are the result of a bad actor compromising a legitimate user account. That could be gaining access through phishing or social engineering or hunting for and finding a dormant account that the organization doesn’t even know exists. Once in, a series of lateral moves and rights escalation activities can result in access to those systems and that data that you are trying to protect.

So here’s where the second set of data becomes remarkably intriguing. We asked the same 900+ IT security professionals a series of questions about the rights and permissions that their users possess, and here were the big reveals:

Only one in four expressed that they were “very confident” that user rights and permissions are correct. That means that ¾ of our respondents were unsure about the fundamental aspect of access control – authorization. Any user with excessive rights (rights that are more than necessary to do the job) is an easy path for bad actors to execute those lateral moves they are so good at.

Less than 1/3 are “very confident” that users are de-provisioned properly. By properly we mean fully and immediately (only 14% of respondents reported that users were de-provisioned immediately upon a change in status). De-provisioning is the process of turning off accounts and revoking rights when they are no longer needed. Poor de-provisioning, either through outdated and cumbersome manual processes or limited tools, is the primary cause of dormant accounts.

In fact, 95% reported that while they have a process for de-provisioning, it requires IT intervention. In other words, someone has to put hands on a keyboard to make it happen. Any amount of time that an unneeded account remains “open” is an invitation for disaster as evidenced by so many of the high-visibility breaches over the past several years.

So what can be done? There are many ways to modernize these processes and get IAM right. Here are a few suggestions:

Determine a single source of the truth for authorization. Define business roles once and use them everywhere. And most importantly, let the line-of-business be the decision makers here. Many instances of inappropriate rights are simply the byproduct of IT doing the best they can with the knowledge they’ve been given. It’s all too common for the line-of-business to ask IT to “give Joe the same rights as Bill” when there was no oversight into what rights Bill has, how he got them, and whether they are still appropriate for the job he does.

De-provision immediately and completely. Tools exist that can update permissions the instant status changes in an authoritative data source. For example, as soon as an employee’s status in the HR system switches from active to inactive, that user’s access rights across every system in the enterprise (including cloud-based services) can be terminated immediately – effectively closing all those doors and eliminating dormant accounts.

Implement identity analytics. A new class of IAM solution called identity analytics will proactively and constantly evaluate your systems to find instances where user rights are out of alignment with what is “right.” These technologies quickly find dormant accounts, mis-provisioned accounts, and instances of rights elevation that are often the smoking gun in breach detection and prevention.
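The three suggestions above (an authoritative source for roles, HR-driven de-provisioning, and analytics that flag dormant accounts and rights drift) can be shown end to end on a small data set. The following is an added example written for this post; it is not One Identity's code or any product's API. The HR feed, the directory accounts, the role definitions, the entitlement names and the dates are all constructed, and the 90-day idle threshold is an assumed policy value.

```python
from datetime import date, timedelta

# All data below is constructed for the example; users, entitlement names and
# dates are made up and do not refer to any real system.

# The HR system is the authoritative source for who is employed and in what role.
HR_FEED = {
    "alice": {"status": "active", "role": "accountant"},
    "bob": {"status": "inactive", "role": "accountant"},  # left the company
    "carol": {"status": "active", "role": "engineer"},    # moved from accounting
    "dave": {"status": "active", "role": "engineer"},
}

# Business roles defined once and used everywhere.
ROLE_RIGHTS = {
    "accountant": {"ledger:read", "ledger:write"},
    "engineer": {"repo:read", "repo:write", "ci:run"},
}

# What the directory actually grants today; it has drifted from the roles above.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2023, 5, 20),
     "rights": {"ledger:read", "ledger:write"}},
    {"user": "bob", "enabled": True, "last_login": date(2023, 2, 1),
     "rights": {"ledger:read", "ledger:write"}},
    {"user": "carol", "enabled": True, "last_login": date(2023, 5, 28),
     "rights": {"repo:read", "repo:write", "ci:run", "ledger:write"}},
    {"user": "svc-legacy", "enabled": True, "last_login": date(2022, 9, 3),
     "rights": {"repo:read"}},  # no HR record owns this account
    {"user": "dave", "enabled": True, "last_login": date(2023, 5, 29),
     "rights": {"repo:read", "ci:run"}},
]

TODAY = date(2023, 6, 1)  # fixed "now" so the example is reproducible


def find_dormant(accounts, today=TODAY, max_idle_days=90):
    """Enabled accounts with no sign-in inside the idle window (assumed policy: 90 days)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["last_login"] < cutoff)


def find_orphaned(accounts, hr_feed):
    """Enabled accounts whose owner is inactive in HR or has no HR record at all."""
    return sorted(a["user"] for a in accounts if a["enabled"]
                  and hr_feed.get(a["user"], {}).get("status") != "active")


def find_rights_drift(accounts, hr_feed, role_rights):
    """Per active user: rights beyond the role (excess) and role rights the
    account lacks (missing). Users with no drift are omitted."""
    drift = {}
    for a in accounts:
        rec = hr_feed.get(a["user"])
        if not rec or rec["status"] != "active":
            continue  # inactive or unowned accounts are handled by find_orphaned / reconcile
        expected = role_rights[rec["role"]]
        excess, missing = a["rights"] - expected, expected - a["rights"]
        if excess or missing:
            drift[a["user"]] = {"excess": sorted(excess), "missing": sorted(missing)}
    return drift


def reconcile(accounts, hr_feed, role_rights):
    """HR-driven reconciliation: disable anything without an active HR owner and
    make every active account's rights equal to its role. Returns the new
    account list and an audit log; the input list is not modified."""
    result, log = [], []
    for a in accounts:
        new = dict(a, rights=set(a["rights"]))
        rec = hr_feed.get(new["user"])
        if not rec or rec["status"] != "active":
            if new["enabled"] or new["rights"]:
                log.append(f"disabled {new['user']}: no active HR record")
            new["enabled"], new["rights"] = False, set()
        else:
            expected = role_rights[rec["role"]]
            for r in sorted(new["rights"] - expected):
                log.append(f"revoked {r} from {new['user']}")
            for r in sorted(expected - new["rights"]):
                log.append(f"granted {r} to {new['user']}")
            new["rights"] = set(expected)
        result.append(new)
    return result, log


if __name__ == "__main__":
    print("dormant:", find_dormant(ACCOUNTS))
    print("orphaned:", find_orphaned(ACCOUNTS, HR_FEED))
    print("drift:", find_rights_drift(ACCOUNTS, HR_FEED, ROLE_RIGHTS))
    fixed, audit = reconcile(ACCOUNTS, HR_FEED, ROLE_RIGHTS)
    print("\n".join(audit))
    print("after:", find_dormant(fixed), find_orphaned(fixed, HR_FEED),
          find_rights_drift(fixed, HR_FEED, ROLE_RIGHTS))
```

Two design points are worth noting. Dormancy (no recent sign-in) and orphaning (no active HR owner) are reported separately because they are different signals: a long-unused account with a valid owner is a review item, while an account with no active owner should be disabled regardless of how recently it was used. And the reconciliation step derives the desired state purely from the HR record plus the role definition, which is what makes the HR system the single source of truth: the audit log lists exactly which rights were revoked or granted and why.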

Just like the technology we rely on every day is evolving and the boundaries expanding, the identity and access management practices we use to secure access to those systems must evolve as well. As our survey reaffirmed, what worked well a few years ago is almost certainly inadequate given today’s realities. But there is hope: with simple shifts in responsibility, IAM practices, and IAM technologies you can significantly reduce risk, modernize your business, and sleep better at night.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
